It was fun.
When looking at remote_api, the authentication thread looks something like this:
I could not find much documentation on the new OpenID support, but Nick's blog entry was informative.
Here's a test application that I wrote to see how everything works:
app.yaml:
```yaml
handlers:
- url: /remote_api
  script: $PYTHON_LIB/google/appengine/ext/remote_api/handler.py
  login: admin
- url: /.*
  script: test.py
```
test.py:
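```python
from google.appengine.api import users
from google.appengine.ext import webapp
from google.appengine.ext.webapp.util import run_wsgi_app

class MainPage(webapp.RequestHandler):
    def get(self):
        user = users.get_current_user()
        if user:
            self.response.out.write("Hi, %s!<hr>admin is %s" % (user.user_id(), users.is_current_user_admin()))
        else:
            # Not signed in: send the visitor to the Google OpenID endpoint.
            self.redirect(users.create_login_url('/', None, 'https://www.google.com/accounts/o8/id'))

if __name__ == '__main__':
    run_wsgi_app(webapp.WSGIApplication([('/.*', MainPage)]))
```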
Switching my login mode between Google Accounts and Federated Login, I noticed a few things:
- Administrators are correctly recognized by `is_current_user_admin()` with OpenID.
- Mixed mode does not work. With authentication set to Google Accounts, calling `create_login_url` with a `federated_identity` raises a `NotAllowedError`.
- The ACSID cookie is still created at the end of the login process, only it comes from `/_ah/openid_verify` instead of `/_ah/login`.
So what happens with remote_api when using Federated Login? If we use the default `appengine_rpc.HttpRpcServer`, it obediently follows the same Google Account authentication process described above, only the application no longer considers the ACSID cookie returned by `/_ah/login` to be valid, so you're still not authenticated and you get a 302 redirect to the OpenID login page, `/_ah/login_required`.
I don't know what the right solution is here. This seems to require an update to the API. Maybe Nick or one of the other Googlers can weigh in.
For now, here is a hacky workaround:
- Enable federated login for your application.
- Make sure you pass `save_cookies=True` when calling `remote_api_stub.ConfigureRemoteDatastore` for the console script.
- Try console authentication and get the 302 error.
- Log in as an administrator through the application's web interface.
- In your browser's cookies, find the ACSID cookie for myapp.appspot.com.
- Locate and edit the local `~/.appcfg_cookies` file.
- Replace the ACSID cookie for myapp.appspot.com with the one from your browser.
The next time you try to use remote_api, it should work without asking for credentials. However, you will have to repeat the last 4 steps every time a cookie expires. You can extend the validity period from 1 day to 2 weeks in the admin console to minimize annoyance. Enjoy!
Drew Sears Jun 05 2018-10-10T00: 00Z
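
The last two steps of the workaround above can be scripted. The following is an added example, not part of the original answer or of the App Engine SDK. It assumes `~/.appcfg_cookies` is a Netscape/Mozilla-format cookie jar and is written for Python 3's `http.cookiejar` (`cookielib` in Python 2); `set_acsid` and `acsid_seconds_left` are hypothetical helper names. Because the file then holds a live admin session, the script keeps it owner-only and reports how long the cookie has left.

```python
import os
import time
from http.cookiejar import Cookie, MozillaCookieJar

HEADER = "# Netscape HTTP Cookie File\n"  # magic line the jar loader requires


def set_acsid(cookie_file, host, value, lifetime_s=86400):
    """Replace the ACSID cookie for `host`; the file stays readable by owner only."""
    fd = os.open(cookie_file, os.O_RDWR | os.O_CREAT, 0o600)
    os.close(fd)
    os.chmod(cookie_file, 0o600)  # tighten a pre-existing, looser file too
    if os.path.getsize(cookie_file) == 0:
        with open(cookie_file, "w") as f:
            f.write(HEADER)
    jar = MozillaCookieJar(cookie_file)
    jar.load(ignore_discard=True, ignore_expires=True)
    try:
        jar.clear(host, "/", "ACSID")  # drop the stale session cookie
    except KeyError:
        pass  # nothing stored for this host yet
    # Assumption: plain-HTTP cookie name ACSID, path "/", host-only domain.
    jar.set_cookie(Cookie(
        version=0, name="ACSID", value=value, port=None, port_specified=False,
        domain=host, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True, secure=False,
        expires=int(time.time()) + lifetime_s, discard=False,
        comment=None, comment_url=None, rest={}))
    jar.save(ignore_discard=True, ignore_expires=True)


def acsid_seconds_left(cookie_file, host, now=None):
    """Seconds until the stored ACSID for `host` expires, or None if absent."""
    jar = MozillaCookieJar(cookie_file)
    jar.load(ignore_discard=True, ignore_expires=True)
    now = time.time() if now is None else now
    for cookie in jar:
        if cookie.name == "ACSID" and cookie.domain == host:
            return None if cookie.expires is None else cookie.expires - now
    return None


if __name__ == "__main__":
    path = os.path.expanduser("~/.appcfg_cookies")
    left = acsid_seconds_left(path, "myapp.appspot.com") if os.path.exists(path) else None
    print("no ACSID stored" if left is None else "ACSID expires in %d s" % left)
```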